Marks and Spencer (M&S) has suspended all sales via its website and mobile application as it continues to work to contain an unspecified cyber security incident.
“As part of our proactive management of a cyber incident, we have now made the decision to pause taking orders via our M&S.com websites and apps,” a spokesperson said in an update posted to social media platform X.
“Our product range remains available to browse online. We are truly sorry for this inconvenience. Our stores are open to welcome customers.”
Earlier in the week, M&S had said there was no need for customers to take any immediate action, and the spokesperson additionally confirmed this remains the case now. Should this change, this will be communicated.
“Our experienced team – supported by leading cyber experts – is working extremely hard to restart online and app shopping,” they said.
The cyber security incident began over the long Easter weekend and resulted initially in the suspension of contactless payments, and the click-and-collect online shopping service.
The expansion of its scope lends weight to growing speculation that M&S is dealing with some form of ransomware or extortion incident, although this has not been confirmed.
M&S is known to be working with third-party security providers and the National Cyber Security Centre (NCSC) to establish precisely what has happened, but as is often the case in such scenarios, in-depth information is rarely released during the initial incident investigation, as to do so can cause further problems for the victims.
“This latest update highlights that the incident is now having a material impact, with all online and app sales being paused,” said William Wright, CEO of security services provider Closed Door Security. “This will create a huge inconvenience for customers and will also significantly impact M&S financially. Data shows that almost a quarter of the store’s sales happen online, so no matter how long this pause is put in place, it will hurt M&S financially.”
Wright observed that although M&S’s official line is that customer data has not yet been impacted, this could easily change at any minute as new forensics findings come to light.
He reiterated general advice on preventing fraudsters and scammers from taking advantage of the crisis.
“M&S customers should keep an eye on their online accounts and bank statements and also be on guard,” he said. “We don’t know if criminals have accessed any customer data, but it’s always safer to be on guard.
Attackers will also use the ongoing incident to conduct phishing campaigns, with lures designed to look like genuine communications from M&S – possibly even claiming to offer further information on the incident – aimed at tricking their recipients into handing over personal or financial information.
“It is essential that online users take note of this threat and treat all communications with caution,” said Wright. “Avoid clicking on links and attachments from unknown senders and always check the address where an email is coming from. The best way to keep updated on information around the incident is to visit the M&S corporate website or monitor their official social channels.”
